ISO/IEC 11770-2:1996

INTERNATIONAL lSO/IEC
STANDARD 11770-2
First edition
1996-04-15
Information technology - Security
techniques -
Key management -
Part 2:
Mechanisms using symmetric techniques
Technologies de Yin forma tion - Techniques de s&urit@ - Gestion
de cl& -
Partie 2: Mkanismes utilisan t des techniques sym&-iques
Reference number
ISO/IEC 117702 1996(E)

---------------------- Page: 1 ----------------------
ISO/IEC 11770-2: 1996(E)
Foreword
for Standardization) and IEC (the
ISO (the International Organization
International Electrotechnical Commission) form the specialized System for
worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical
committees established by the respective organization to deal with particular
Felds of technical activity. ISO and IEC technical committees collaborate in
fields of mutual interest. Other international organizations, govemmental and
non-govemmental, in liaison with ISO and IEC, also take part in the work.
In the field of information technology, ISO and IEC have established a joint
technical committee, ISO/IEC JTC 1. Drafi International Standards adopted by
the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75% of the
national bodies casting a vote.
International Standard ISO/IEC 11770-2 was prepared by Joint Technical
Committee ISO/IEC JTC 1, Information technology, Sub-committee SC 27, IT
Security techniques.
ISO/IEC 11770 consists of the following Parts, under the general title
Information technology - Security techniques - Key management:
- Part 1: Key management framework
- Part 2: Mechanisms using symmetric techniques
- Part 3: Mechanisms using asymmetric techniques
Further Parts may follow.
Annexes A, B and C of this part of ISO/IEC 11770 are for information only.
0 ISO/IEC 1996
All rights reserved. Unless otherwise specified, no gart of this publication may
be reproduced or utilized in any form or by any means, electronie or mechanical,
including photocopying and microfilm, without Permission in writing from the
publisher.
ISO/IEC Copyright Office l Case Postale 56 l CH-121 1 Geneve 20 l
Switzerland
Printed in Switzerland
ii

---------------------- Page: 2 ----------------------
INTERNATIONAL STANDARD @ ISO/IEC
ISO/IEC 11770-2: 1996(E;
Information technology
- Security techniques -
QY
management -
Part 2:
Mechanisms using symmetric techniaues
1 Scope 2 Normative References
The purpose of key management is to provide procedures The following Standards contain provisions which, through
for handling cryptographic keying material to be used in reference in this text, constitute provisions of this part of
syrnmetric or asymmetric cryptographic algorithms ISO/IEC 11770. At the time of publication, the editions
according to the security policy in forte. This part of indicated were valid. All Standards are subject to revision,
ISO/IEC 11770 defines key establishment mechanisms and Parties to agreements based on this part of ISO/IEC
using symmetric cryptographic techniques. 11770 are encouraged to investigate the possibility of
applying the most recent editions of the Standards indicated
establishment mechanisms using symmetric
KeY
below. Members of IEC and ISO maintain registers of
cryptographic techniques tan be derived from entity
currently valid International Standards.
authentication mechanisms of ISO/IEC 9798-2 and
ISO/IEC 9798-4 by specifying the use of text fields ISO 7498-2: 1989, Information processing Systems - Open
available in those mechanisms. Other key establishment Systems Interconnection - Basic Reference Model - Part 2:
mechanisms exist for specific environments; see for Security Architecture.
example ISO 8732. Besides key establishment, goals of
ISO/IEC 9798-2: 1994, Information technology - Security
such a mechanism may include unilateral or mutual
techniques - Entity authentication - Part 2: Mechanisms
authentication of the communicating entities. Further goals
using symmetric encipherment algorithms.
may be the verification of the integrity of the established
key, or key confirmation.
ISO/IEC 9798-4: 1995, Information technology - Security
techniques - Entity authentication - Part 4: Mechanisms
This part of ISOIIEC 11770 addresses three environments
using a cryptographic check function.
for the establishment of keys: Point-to-Point, Key
Distribution Centre (KDC) and Key Translation Centre
ISO/IEC 11770-1: - ‘, Information technology - Security
(KTC). This part of ISO/IEC 11770 describes the required
techniques - Key management - Part I: Key management
content of messages which carry keying material or are
framework.
necessary to set up the conditions under which the keying
material tan be established. The document does not
indicate other information which may be contained in the
messages or specify other messages such as error 3 Definitions and Notation
messages. The explicit format of messages is not within the
3.1 Definitions
scope of this part of ISO/IEC 11770.
For the purposes of this part of ISO/IEC 11770 the
This part of ISO/IEC 11770 does not explicitly address the
definitions given in ISO/IEC 11770-1 apply. In addition,
issue of interdomain key management. This part of
this part of ISO/IEC 11770 makes use of the following
ISO/IEC 11770 also does not define the implementation of
terms:
key management mechanisms; there may be different
3.1.1 distinguishing identifier: Information which
products that comply with this part of ISO/IEC 11770 and
unambiguously distinguishes an entity.
yet are not compatible.
1 To be published.

---------------------- Page: 3 ----------------------
ISO/IEC 11770-2: 1996(E) 0 ISO/IEC
3.1.2 entity authentication: The corroboration that an TVPx is a time variant Parameter issued by entity X.
entity is the one claimed.
is the result of the encipherment of data
Z with a
WZ)
3.1.3 key confirmation: The assurance for one entity symmetric algorithm using the key K.
that another identified entity is in possession of
is the result of the decipherment of data
Z with a
the correct key.
symmetric algorithm using the key K.
3.1.4 key control: The ability to choose the key, or
is the result of a cryptographic check function
the Parameters used in the key computation.
computed on data Z using the key K. vK(Z) is
3.1.5 key generating function: A function which also called message authentication code
(MAC)
takes as input a number of Parameters, at least and may be denoted as macK(Z).
one of which shall be secret, and which gives as
f denotes a key generating function.
output keys appropriate for the intended
is the result of the concatenation of data items X
x II y
algorithm and application. The function shall
and Y in that Order.
have the property that it shall be computationally
infeasible to deduce the output without Prior
knowledge of the secret input.
The Felds Ted, Text2, . . .
specified in the mechanisms
may contain optional data for use in applications outside
3.1.6 Point-to-Point key establishment: The direct
the scope of this part of ISOIIEC 11770 (they may be
establishment of keys between entities, without
empty). Their relationship and contents depend upon the
involving a third Party.
specific application. One such possible application is
3.1.7 random number: A time variant Parameter
message authentication (see annex B for an example).
whose value is unpredictable.
Likewise, optional plaintext text fields may be prepended
3.1.8 redundancy: Any information that is known
or appended to any of the messages. They have no security
and tan be checked.
implications and are not explicitly included in the
3.1.9 sequence number: A time variant Parameter
mechanisms specified in this part of ISO/IEC 11770.
whose value is taken from a specified sequence
which is non-repeating within a certain time
Data items that are optional in the mechanisms are shown
period.
in italics.
3.1.10 time variant Parameter: A data item used to
verify that a message is not a replay, such as a
random number, a sequence number, or a time
4 Requirements
stamp.
The key establishment mechanisms specified in this part of
ISO/IEC 11770 make use of symmetric cryptographic
techniques,
more specifically symmetric encipherment
3.2 Notation
algorithms and/or key generating mnctions. The
Throughout this part of ISO/IEC 11770 the following
cryptographic algorithms and the key life-time shall be
notation is used:
Chosen such that it is computationally infeasible for a key
X is the distinguishing identifier of entity X.
to be deduced during its life-time. If the following
additional requirements are not met, the key establishment
KDC denotes a Key Distribution Centre.
process may be compromised or it cannot be implemented.
KTC denotes a Key Translation Centre.
For those mechanisms making use of a symmetric
T is the distinguishing identifier of the Key
encipherment algorithm, either assumption a) or
Distribution Centre or the Key Translation
assumption b) is required.
Centre.
The encipherment algorithm, its mode of Operation
a>
F denotes keying material.
and the redundancy in the plaintext shall provide the
is a secret key associated with the entities X and
KXY
recipient with the means to detect forged or
Y.
manipulated data.
R is a random number.
The integrity of the enciphered data shall be ensured
b)
is a random number issued by entity X.
Rx
by a data integrity mechanism. If a hash-function is
T/N is a tirne stamp or a sequence number.
used for this purpose the hash-code shall either be
is a time stamp or a sequence number issued by
TxfNx
appended to the data before encipherment or be
entity X.
placed in a plaintext text field.
TVP is a time variant Parameter.

---------------------- Page: 4 ----------------------
0 ISO/IEC
ISO/IEC 11770-2: 1996(h
NOTES
5.1 Key Establishment Mechanism 1
1 - Modes of Operation for block tipher algorithms are
In key establishment mechanism 1 the key K is derived
standardized in ISO/IEC 10116.
from a time variant Parameter TVP, e.g., a random number
2 - A data integrity mechanism is standardized in
R, a time stamp T, or a sequence number N, using a key
ISO/IEC 9797. Hash-functions are standardized in
generating function. Key establishment mechanism 1
ISO/IEC 10118.
provides no authentication of the key K established by the
mechanism. The mechanism requires that A is able to
3 - When a KDC or KTC is involved, assumptions a) and
generate a TVP.
b) are not always equivalent in terms of the ability to
detect unambiguously on which link an active attack is
being performed. See Annex B for examples.
”
.:
. . . .
(1) -l-VP
<: .’
‘.
‘<. ‘:
i .< ::
:. :
In each exchange specified in the mechanisms of clauses 5,
1.
A :. B .<.
” ‘:.
I-i d!YIYl
6 and 7, the recipient of a message shall know the claimed
identity of the originator. If this is not the case from the
Figure 1 - Mechanism 1
context in which the mechanism is being used then this
could, e.g., be achieved by the inclusion of identifiers in
additional plaintext text Felds of certain of the messages.
Steps:
Keying material may be established using either secure or
A generates a random number R, a time stamp T, or
(1)
insecure comrnunication channels. When using only
a sequence number N and transfers it to B.
symmetric cryptographic techniques, at least the first key
(la) Both A and B then derive the key K by using a key
shall be exchanged between two entities using a secure
channel in Order to allow secure communications.
generating function f with inputs the shared secret
key KAB and the time variant Parameter TVP:
The key establishment mechanisms in this part of ISO/IEC
11770 require the use of time variant Parameters such as K = f(KAB, TVP).
time stamps, sequence numbers, or random numbers. In
See Annex B for examples of possible key
this context the use of the term random number also
generating functions.
The
includes unpredictable pseudo-random numbers.
properties of these Parameters, in particular that they are
non-repeating, are important for the security of these
NOTE - To also provide authentication, key establishment
mechanisms. For additional information on time variant
mechanism 1 may be combined with an authentication
Parameters see Annex B of ISO/IEC 9798-2.
mechanism as specified in 9798-2 or 9798-4. See annex B
for an example.
5 Point-to-Point Key Establishment
5.2 Key Establishment Mechanism 2
The basic mechanism of every key establishment scheme is
Point-to-Point key establishment which requires that the
In key establishment mechanism 2 the key K is supplied by
entities already share a key so that further keys may be
entity A. The mechanism provides no authentication of the
established directly between the entities.
key K established by the mechanism nor does it provide
entity authentication.
mech anisms specified in this
For the implementation of the
clause it is assumed that
A key KAB is shared by the entities A and B.
At least one of A or B is able to generate, acquire or
(1) eKAB( F 11 Text? )
contribute to a secret key K as described in the
individual mechanism.
concerned with the
Security requirements are
confidentiality of K, and modiflcation and replay
Figure 2 - Mechanism 2
detection.
3

---------------------- Page: 5 ----------------------
0 ISO/IEC
ISO/IEC 11770-2: 1996(E)
provides unilateral authentication, i.e.,
entity A is
Steps:
authenticated by the mechanism. Uniqueness/timeliness is
(1) A sends B the keying material F (key K and
controlled by a random number RB. The mechanism
optional data) enciphered with KAB.
requires that B is able to generate random numbers.
(la) On receipt of the message, B deciphers the
enciphered part and thus obtains the key K.
(1) RB
(2) eKm(b 11 B 11 F 11 Texf?) .B
5.3 Key Establishment Mechanism 3
A
~~
.1_1
Key establishment mechanism 3 is derived from the one
pass entity authentication mechanism of ISO/IEC 9798-2,
Figure 4 - Mechanism 4
clause 5.1.1. In this mechanism the key K is supplied by
entity A. Key establishment mechanism 3 provides
unilateral authentication, i.e., entity A is authenticated by
Steps:
the mechanism. Uniqueness/timeliness is controlled by
B sends A a random number RB.
(1)
time stamps or sequence numbers. The mechanism requires
sends B the received number RB, the
that both A and B are able to maintain mechanisms for (2) A
distinguishing identifier B, and the keying material
generating or verifying the validity of time stamps T or
sequence numbers N.
F (key K and optional data). The inclusion of the
distinguishing identifier B is optional. The data
fields are enciphered with KAR.
(1) eKAB(TN 11 B 11 F 11 Textf)
(2a) On receipt of message (2), B deciphers the
enciphered Part, Checks the correctness of its
distinguishing identifier, if present, Checks that the
random number RB, sent to A in step (1), was used
Figure 3 - Mechanism 3
in constructing message (2), and obtains the key K.
Steps:
NOTE - Distinguishing identifier B is included in step (2)
(1) A sends B a time stamp or sequence number T/N, to prevent a Substitution attack, i.e., the re-use of this
message by an adversary masquerading as B (see Annex
the distinguishing identifier B, and the keying
A). In environments where such attacks cannot occur, the
material F (key K and optional data). The inclusion
identifier may be omitted.
of the distinguishing identifier B is optional. The
data fields are enciphered with KAB.
(la) On receipt of the message, B deciphers the
5.5 Key Establishment Mechanism 5
Checks the correctness of its
enciphered Part,
distinguishing identifier, if present, Checks the time
Key establishment mechanism 5 is derived from the two
stamp or sequence number, and obtains the key K. pass mutual authentication mechanism of ISO/IEC 9798-2,
clause 5.2.1. This mechanism enables both A and B to
contribute part of the established key K. Key establishment
NOTE - Distinguishing identifier B is included in step (1)
mechanism 5 provides mutual authentication, i.e., both
to prevent a Substitution attack, i.e., the re-use of this
communicating entities are authenticated by the
message by an adversary masquerading as B (see Annex
mechanism. Uniqueness/timeliness is controlled by time
A). In environments where such attacks cannot occur, the
stamps or sequence numbers. The mechanism requires that
identifier may be omitted.
both A and B are able to maintain mechanisms for
generating and ver@ing the validity of time stamps T or
sequence numbers N.
5.4 Key Establishment Mechanism 4
Steps:
A sends B a time stamp or sequence number
(11
Key establishment mechanism 4 is derived from the two
TA/NA, the distinguishing identifier B, and the
pass unilateral entity authentication mechanism of ISO/IEC
keying material FA. The inclusion of the
9798-2, clause 5.1.2. In this mechanism the key K is
supplied by entity A. Key establishment mechanism 4

---------------------- Page: 6 ----------------------
@ ISOIIEC ISO/IEC 11770-2: 1996(L
11 B 11 FA 11 Text-l)
(1) eKAB(TdNA
(2) eKAB( RA 11 RB 11 B 11 FA 11 Texf?)
Fe 11 Text2)
(3) eKAB( RB 11 RA 11
(2) eKAB(Te/Ne 11 A 11 FB 11 TexQ)
Figure 5 - Mechanism 5 Figure 6 - Mechanism 6
distinguishing identifier B is optional. The data mechanism. Uniqueness/timeliness is controlled by random
numbers. The mechanism requires that both A and B are
Felds are enciphered with KAB.
able to generate random numbers.
a
On receipt of message (1), B deciphers the
(1 >
Steps:
enciphered Part, Checks the correctness of its
B sends A a random number RB.
distinguishing identifier, if present, and Checks the
(1)
time stamp or sequence number.
A sends B a random number RA, the received
(2)
B sends A a time stamp or sequence number TB/NB, number RB, the distinguishing identifier B, and the
(2)
keying material FA. The inclusion of the
the distinguishing identifier A, and the keying
distinguishing identifier B is optional. The data
material FB. The inclusion of the distinguishing
Felds are enciphered with KAB.
identifier A is optional. The data Felds are
enciphered with KAB.
a On receipt of message (2), B deciphers the
(2 >
enciphered Part, Checks the correctness of its
a On receipt of message (2), A deciphers the
(2 >
distinguishing identifier, if present, and Checks that
enciphered Part, Checks the correctness of its
the random number RB, sent to A in step (l), was
distinguishing identifier, if present, and Checks the
used in constructing message (2).
time stamp or sequence number.
B sends A the random numbers RB and RA, and the
Both A and B derive the key K by using a key
(3)
keying material FB. The data fields are enciphered
generating function f with inputs the secret keying
with KAB.
material Felds FA and Fg:
a On receipt of message (3), A deciphers the
K = f(FA,FB).
(3 )
enciphered part and Checks that the random number
See Annex B for examples of possible key
RA, sent to B in step (2), was used in constructing
generating functions.
message (3).
Both A and B derive the key K by using a key
w9
NOTES
generating function f with inputs the secret keying
1 - In key establishment mechanism 5, either of the two
material fields FA and Fg:
keying material fields FA or FB may be empty, but not
K = f(FA,FB).
both.
2 - Distinguishing identifier B is included in step (1) to
See Annex B for examples of possible key
prevent the re-use of this message by an adversary
generating functions.
masquerading as B. For similar reasons, distinguishing
identifier A is present in step (2). In environments where
NOTES
such attacks cannot occur, one or both of the identifiers
may be omitted. 1 - In key establishment mechanism 6, either of the two
keying material fields FA or FB may be empty, but not
both.
2 - Distinguishing identifier B is included in step (2) to
5.6 Key Establishment Mechanism 6
prevent reflection attacks. In environments where such
Key establishment mechanism 6 is derived from the three attacks cannot occur, the identifier may be omitted.
pass authentication mechanism of ISO/IEC 9798-2, clause
3 - A variant of key establishment mechanism 6 tan be
5.2.2. This mechanism enables both A and B to contribute
constructed from two parallel instances of mechanism 4,
part of the established key K. Key establishment
one started by entity A and the other by entity B.
mechanism 6 provides mutual authentication, i.e., both
communicating entities are authenticated by the

---------------------- Page: 7 ----------------------
ISO/IEC 11770-2: 1996(E) 0 ISO/IEC
6 Key Distribution Centre 6.1 Key Establishment Mechanism 7
The purpose of a Key Distribution Centre (KDC) is to
In key establishment mechanism 7 the key K is supplied by
generate or acquire and distribute keys to entities that each
the Key Distribution Centre. The mechanism provides no
share a key with the KDC.
authentication of the key K established by the mechanism.
In this clause, four key establishment mechanisms are
Steps:
specified. In the first three mechanisms one of the two
A requests keying material from the KDC by
0
entities requests a key K from the KDC for later
sending a message to the KDC that contains the
distribution to the other entity. The KDC generates or
distinguishing identifier of the recipient B.
acquires the key K and sends a message to the requesting
The KDC sends a protected message to A that
entity protected by a key shared with this entity. This
(2)
message contains a second message protected by a key
contains the keying material F (key K and optional
shared between the KDC and the second entity, which then
data). This message consists of 2 main Parts:
tan be sent by the requesting entity to the ultimate
a ekvr( F 11 B 11 Ted )
0
recipient. For the last mechanism the KDC generates or
acquires the key K and sends it directly to each
eKBT( F 11 A 11 Text,? )
(b)
communicating entity. The messages are protected using
(2a) On receipt of message (2), A deciphers part (a),
the keys which the KDC shares with the corresponding
Checks the correctness of the distinguishing
entities. If required, authentication of the requesting entity
identifer and obtains the key K.
by the KDC may be ensured by the inclusion of a MAC in
a plaintext text field of the requesting message.
A forwards part (b) of message (2) to B.
(3)
For all these mechanisms, only the KDC has to have the
(3a) On receipt of message (3) B deciphers the
ability to generate or otherwise acquire keys. Following the
enciphered Part, Checks the correctness of the
distribution of a key by the KDC, the two entities may
distinguishing identifer and also obtains the key K.
operate in a Point-to-Point mode.
For the implementation of the mechanisms specified in this
clause it is assumed that
6.2 Key Establishment Mechanism 8
There is a trusted third Party T, the Key Distribution
Key establishment mechanism 8 is derived from the four
Centre, with which A and B share secret keys, KAT and
pass authentication mechanism of ISO/IEC 9798-2, clause
KBT respectively. The KDC shall be able to generate or
6.1. In this mechanism the key K is supplied by the Key
otherwise acquire a key K.
Distribution Centre. Key establishment mechanism 8
optionally provides mutual authentication,
The KDC is on-line with the entity requesting a key. i.e., both
communicating entities tan be authenticated by the
Security requirements are concemed with the
mechanism. Uniqueness/timeliness is controlled by time
confidentiality of K, modification and replay detection,
stamps or sequence numbers. The mechanism requires that
and the detection of Substitution attacks.
A, B, and the KDC are able to maintain mechanisms for
generating and verifying the validity of time stamps T or
sequence numbers N.
(1) B
(2) eh-( F 11 B 11 Text7 ) 11 eKBT( F 11 A 11 Text2 )
(1) (2)
tl
(3) ebT( F 11 A 11 Text2 )
Figure 7 - Mechanism 7

---------------------- Page: 8 ----------------------
@ ISO/IEC ISO/IEC 11770-2: 1996(L
(4a) On receipt of message (4), A deciphers it anc
Steps:
Checks the correctness of the time variant Parameter
A requests keying material from the KDC by
(1)
and of the distinguishing identifier.
sending a message to the KDC that contains a time
variant Parameter TVPA (a random number, time
NOTES
stamp, or sequence number) and the distinguishing
identifier of the recipient B. 1 - The encipherment algorithm e used in the optional key
confirmation process may differ from the encipherment
The KDC sends a protected message to A that
algorithm (also denoted by e) used for key distribution.
contains the keying material F (key K and optional
2 - To achieve mutual authentication and conformance
data). This message consists of 2 main Parts:
with the four pass authentication mechanism specified in
a
&n'( TVPA 11 F 11 B 11 7hd >
0
ISO/IEC 9798-2 the Options in Steps (3) and (3b) and
optional Steps (4) and (4a) need to be included.
~KBT(TT~T If F 11 A 11 T'xt2)
09
a On receipt of message (2), A deciphers part (a),
(2 >
Checks that the time variant Parameter TVPA, sent
6.3 Key Establishment Mechanism 9
to the KDC in step (1), was used in constructing
message (2), Checks the correctness of the
Key establishment mechanism 9 is derived from the five
distinguishing identifier, and obtains the key K.
pass authentication mechanism of ISO/IEC 9798-2, clause
6.2. In this mechanism the key K is supplied by the Key
A forwards part (b) of message (2) to B. Message
(3)
Distribution Centre. Key establishment mechanism 9
(3) optionally contains a data field eK(TA/NA 11 B jI
optionally provides mutual authentication, i.e., both
Text3) which enables B to check the integrity of the
communicating entities tan be authenticated by the
key K retrieved from F.
mechanism. Uniqueness/timeliness is controlled by random
numbers. The mechanism requires that A, B and the KDC
a On receipt of message (3), B deciphers the first Part,
(3 >
are able to generate random numbers.
Checks the correctness of the time stamp or
sequence nunaber, and obtains the key K. The
Steps:
distinguishing identifier indicates to B that the key
B initiates the mechanism by sending a random
(1)
was requested by A.
number RB to A.
B deciphers the second part of message (3), if
m
A requests keying material frorn the KDC by
(2)
present, and Checks the correctness of the time
sending a message to the KDC that contains a
variant Parameter and of its distinguishing identifier.
random number RA, the random number RB, and
the distinguishing identifier of B.
Optional:
The KDC sends a protected message to A that
(3)
The following tan be omitted if no or only unilateral entity
contains the keying material F (key K and optional
authentication is required.
data). This message consists of 2 main Parts:
B retums eK(TB/NB 11 A )I Ted) to A thereby
(4)
a
&4T( RA 11 F 11 B 11 Text1 )
acknowledging that it shares the key K. 0
eGrr( RB 11 F 11 A 11 Ed )
(W
(1) TVPA 11 B
(2) eKAT(TVh 11 F 11 B 11 Text?) 11 eKeT(TT/NT 11 F 11 A 11 Texf2)
eKBT(TT/NT 11 F 11 A 11 TexQ) 11 eK(TA/NA 11 B 11 Text3)
(3)
Figure 8 - Mechanism 8

---------------------- Page: 9 ----------------------
ISO/IEC 11770-2: 1996(E) @ ISO/IEC
ISO/IEC 9798-2 the Options in Steps (4) and (4b) and
(3a) On receipt of message (3), A deciphers part (a),
optional Steps (5) and (5a) need to be included.
Checks that the random number RA, sent to the
KDC in step (2), was used in constructing message
(3), Checks the correctness of the distinguishing
6.4 Key Establishment Mechanism 10
identifier, and retrieves the key K.
A forwards part (b) of message (3) to B. Message
(4) In key establishment mechanism 10 the KDC distributes
(4) optionally contains a data field eK(R ’A 11 RB 11 the keying material directly to both entities. The
mechanism provides mutual authentication between A and
7&3) which incorporates random numbers RB and
the KDC and unilateral authentication from the KDC to B.
R ’A and enables B to check the integrity of the key
Uniqueness/timeliness is controlled by time stamps or
K retrieved from F.
sequence numbers. The mechanism requires that A, B, and
(4a) On receipt of message (4), B deciphers the first Part,
the KDC are able to maintain mechanisms for generating
Checks that the random number RB, sent to A in
or verifying the validity of time stamps T or sequence
step (1), was used in constructing message (4) and numbers N.
obtains the key K. The distinguishing identifier
Steps:
indicates to B that the key was requested by A.
A requests keying material from the KDC by
0
(4b) B deciphers the second part of message (4) if
sending a message to the KDC that contains a time
present, and Checks that the random number RB,
stamp or sequence nunaber TA/NA,
and the
sent to A in step (l), was used in constructing the
distinguishing identifier of the recipient B. The data
second part of message (4).
fields are enciphered with KAT.
a On receipt of message (1) the KDC deciphers it and
Optional: (I >
Checks the correctness of the time stamp or
The following tan be omitted if no or only unilateral entity
sequence number.
authentication is required.
The KDC returns a message to A that contains a
B returns eK(RB 11 R ’A 11 Text4) to A thereby (2)
(5)
time time stamp or sequence number TT/NT, the
acknowledging that it also shares the key K. Step
distinguishing identifier of B, and the keying
(5) requires the Option described in step (4).
material F. The data Fel
...